Method and device for detecting unknown network worms

ABSTRACT

A method and device for detecting a network worm on a network allow early detection of an unknown network worm with less computation, based on a change in the randomness of network traffic, without using a pattern-matching-based or behavior-based worm detecting method.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to and the benefit of Korean Patent Application No. 10-2008-0108352 filed in the Korean Intellectual Property Office on Nov. 3, 2008, and Korean Patent Application No. 10-2009-0013412 filed in the Korean Intellectual Property Office on Feb. 18, 2009, the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method for detecting network worms on a network. More particularly, the present invention relates to a worm detecting method and device for early detection of unknown network worms with less computation.

2. Description of the Related Art

There are many tools for detecting worms on a network, such as vaccine (antivirus) programs, IDS, IPS, or firewalls.

However, they are insufficient for detecting worms with little computation and a small memory space on a huge network. Most security techniques for detecting worms and processing the detected worms require a large amount of computation and memory space.

Conventional worm detecting methods are classified as pattern-matching-based worm detecting methods and worm-behavior-based worm detecting methods. Their drawbacks are as follows.

First, worm detecting schemes based on pattern matching fail to detect unknown worms.

Next, schemes for detecting worms based on worm behavior have many false positives, and they require a large amount of computation because many pieces of network information must be used to detect the worms.

One of the behavior-based worm detecting schemes uses network entropy, which however requires a large amount of computation and is difficult to apply to a large-capacity, high-speed network, for example a backbone network.

Accordingly, current worm detecting schemes fail to efficiently detect unknown worms on a huge network.

The above information disclosed in this Background section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not form the prior art that is already known in this country to a person of ordinary skill in the art.

SUMMARY OF THE INVENTION

The present invention has been made in an effort to provide a worm detecting method and device for detecting unknown network worms on a huge network at an earlier stage and with less computation.

An exemplary embodiment of the present invention provides a worm detecting method including: collecting traffic provided to a network; generating a first traffic matrix showing a characteristic of the traffic in a first time domain beginning at a first time, a second traffic matrix showing a characteristic of the traffic in a second time domain beginning at a second time that is the end time of the first time domain, and a third traffic matrix showing a characteristic of the traffic in a third time domain beginning at a third time that is the end time of the second time domain; eliminating the matrix entries corresponding to legitimate flows in the first, second and third time domains, and also eliminating the matrix entries corresponding to legitimate flows that ended or started exactly at the second time and legitimate flows that ended at the third time, to generate a legitimate traffic elimination matrix; calculating a rank value of the legitimate traffic elimination matrix; and determining the state of the network based on the rank value.

Another embodiment of the present invention provides a worm detecting device including: a traffic collector for collecting traffic provided to a network; a traffic matrix generator for generating a first traffic matrix showing a characteristic of the traffic in a first time domain beginning at a first time, a second traffic matrix showing a characteristic of the traffic in a second time domain beginning at a second time that is the end time of the first time domain, and a third traffic matrix showing a characteristic of the traffic in a third time domain beginning at a third time that is the end time of the second time domain; a legitimate traffic eliminator for eliminating the matrix entries corresponding to legitimate flows in the first, second and third time domains, and also eliminating the matrix entries corresponding to legitimate flows that ended or started exactly at the second time and legitimate flows that ended at the third time, to generate a legitimate traffic elimination matrix; a rank value calculator for calculating a rank value of the legitimate traffic elimination matrix; and a network state determiner for determining the network state based on the rank value.

When the worm detecting method and device according to the embodiment of the present invention are used, unknown network worms can be detected on a huge network at an earlier stage, with less computation and with further improved accuracy.

Also, the worm detecting method and device according to the embodiment of the present invention provide a new and more accurate method for detecting worms based on the variation of randomness in network traffic, without using a pattern-matching-based or worm-behavior-based worm detecting method.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a worm detecting device according to a first exemplary embodiment of the present invention.

FIG. 2 shows a format of an IP address when a uniform scan is applied.

FIG. 3 shows a format of an IP address when a subnet scan is applied.

FIG. 4 shows a format of an IP address when a sequential scan is applied.

FIG. 5 shows the mechanism of filtering and rank value measurement used in a worm detecting method according to an exemplary embodiment of the present invention.

FIG. 6 shows a Venn diagram representing the principle of filtering and the relationship among traffic matrices according to an exemplary embodiment of the present invention.

FIG. 7 shows a graph representing a simulation result with the number of infected hosts and rank values.

FIG. 8 shows a graph indicating rank values of two kinds of worms as a function of scan rate β in a 256×256 traffic matrix.

FIG. 9 shows a graph indicating rank values of two kinds of worms as a function of scan rate β in a 64×64 traffic matrix.

FIG. 10 shows a graph in which the rank value approaches 0 when the number of random scanning worms is sequentially increased in the order of 0, 1, 2, and 3 under the condition that one sequential scanning worm is propagating on the network.

FIG. 11 shows a graph showing the relationship among infection ratio, worm scan rate, and host population size used for detecting an epidemic of worms through a change of rank values of a legitimate traffic elimination matrix.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In the following detailed description, only certain exemplary embodiments of the present invention have been shown and described, simply by way of illustration. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive. Like reference numerals designate like elements throughout the specification.

Throughout the specification, unless explicitly described to the contrary, the word “comprise” and variations such as “comprises” or “comprising” will be understood to imply the inclusion of stated elements but not the exclusion of any other elements. In addition, the terms “-er”, “-or”, and “module” described in the specification mean units for processing at least one function and operation and can be implemented by hardware components or software components and combinations thereof.

A worm detecting method and device according to an exemplary embodiment of the present invention will now be described with reference to the accompanying drawings.

I. Configuration of a Worm Detecting Device

FIG. 1 shows a block diagram of a worm detecting device according to an exemplary embodiment of the present invention.

As shown in FIG. 1, the worm detecting device 100 cooperates with a first network 10, and it includes a traffic collector 110, a traffic matrix generator 120, a legitimate traffic eliminator 130, a rank value calculator 140, and a network state determiner 150.

The constituent elements of the worm detecting device will now be described.

First, the traffic collector 110 collects traffic provided to the network 10.

Next, the traffic matrix generator 120 expresses the characteristic of the traffic collected by the traffic collector 110 in a matrix format. In this instance, the traffic matrix generator 120 determines the element at which a corresponding flow (i.e., packet) is placed in the traffic matrix based on the destination Internet Protocol (IP) address of the flow included in the traffic.

The legitimate traffic eliminator 130 eliminates from the traffic matrix the legitimate traffic, that is, traffic other than traffic caused by an epidemic of network worms.

The rank value calculator 140 measures randomness by calculating the rank value of the legitimate traffic elimination matrix that is acquired by the legitimate traffic eliminator 130 eliminating the legitimate traffic.

Finally, the network state determiner 150 determines the network state, that is, whether the corresponding network is invaded by a network worm, based on the rank value calculated by the rank value calculator 140.

A worm detecting method by a worm detecting device according to an exemplary embodiment of the present invention will now be described in further detail.

II. Traffic Matrix Construction by Traffic Matrix Generator

To apply a randomness check to traffic, the traffic is translated into the form of a matrix. In particular, the IP address needs to be represented in the matrix, since it is the IP address that carries the randomness of attack traffic. Further, to catch the activity of network worms, the destination IP address of passing traffic must be observed, since worms randomly select their targets. Today's network worms use a random number generator to maximize their epidemic speed and simultaneously evade detection.

In designing the traffic matrix construction, it must be considered that the four octets of an IP address can have separate dynamics depending on the particular strategy employed by the worm in action. Network worms use different scanning strategies. When the octets of an IP address in the network traffic are denoted IP₁, IP₂, IP₃, and IP₄, the IP address can be expressed as Equation 1.

$IP = IP_1 \cdot IP_2 \cdot IP_3 \cdot IP_4$  [Equation 1]

FIG. 2 shows a format of an IP address when a uniform scan is applied.

The Slammer worm and the Code Red worm use the random scan strategy, which randomly selects all four octets IP₁ to IP₄ of the next target. This strategy is also called a uniform scan.

FIG. 3 shows a format of an IP address when a subnet scan is applied.

Code Red II, another network worm, uses a scanning strategy with local preference, which is called a subnet scan. The worm performs the random scan with probability ⅛, keeps the same IP₁ with probability ½, and keeps the same IP₁·IP₂ with probability ⅜.

Hence, the scanning strategy of Code Red II is fully random in IP₃ and IP₄, and partially random in IP₁ and IP₂.

FIG. 4 shows a format of an IP address when a sequential scan is applied.

The Blaster worm is an example of a worm that uses the sequential scan.

The Blaster worm randomly selects one IP₁·IP₂ prefix, and then sequentially scans the subsequent target addresses within that Class B network until it selects another target network. Therefore, IP₁ and IP₂ are random, and the distribution of IP₃ and IP₄ is sequential.

However, from the perspective of the attacked network, the distribution of destination IP addresses of the scan traffic may not be random but sequential.

For ease of description, the uniform scan and the subnet scan will be referred to as a random scan because they have randomness in predetermined parts of the IP address. The classification of random vs. sequential will be used for the scanning strategies of the network worms given below.

The traffic matrix in the exemplary embodiment of the present invention is a 256×256 matrix, and each element of the traffic matrix is 1 bit.

Even though the traffic matrix is a relatively large 256×256 binary matrix, the computer requires only a small memory space of 8 Kbyte to process the traffic matrix.

The 256×256 traffic matrix can represent at most 65,536 distinct destination IP addresses. In this instance, in order to preserve the randomness in the IP addresses used by the worm, the destination IP address of each flow included in the corresponding traffic is mapped onto an element of the traffic matrix.

When i and j are given as the row index and the column index respectively, the corresponding relationship between the destination IP address of each flow included in the traffic and the traffic matrix is expressed in Equation 2.

$i = IP_1 \oplus IP_3,\quad j = IP_2 \oplus IP_4$  [Equation 2]

where ⊕ denotes a bitwise exclusive OR (XOR) operation.

High randomness is maintained in the scanning strategies adopted by the network worms.

In the case of sequential scan worms, the mapping function performs a permutation because of the XOR: once the mapping selects a row (XOR'ed IP₃), it fills that row with 1's in the permuted order (XOR'ed IP₄). As a result, the corresponding row has entries of 1, and as the worm's scan traffic increases over time, the number of rows with entries of 1 increases sequentially. Since such rows reduce to 0 under the Gaussian elimination performed by the rank value calculator, the rank value is steeply reduced and approaches 0.

In the case of random scan worms, randomness is maintained since random entries are added to the traffic matrix.

When a random scan worm and a sequential scan worm occur together, the rank value is reduced to near 0 in the same manner as for the sequential scan worm alone. The traffic matrix generator 120 allows overwriting when the mapping function writes an entry of the traffic matrix, so that the same result is produced as in the case in which the rank value caused by the sequential scan worm approaches 0: the traffic caused by the sequential scan is written onto the matrix as the number of hosts infected by worms increases.

Once the mapping is defined, the traffic matrix is easily constructed by the traffic matrix generator 120 of the worm detecting device 100.

When the unit period starts, the traffic matrix is filled with 0's. The entries corresponding to the destination IP addresses of the passing flows (packets) are overwritten with the value 1. The matrix continues to be filled with 1's until the unit period is finished.

In this instance, the duration of the unit period depends on the working environment, and typical values are on the order of seconds, including 1 second and 10 seconds. The unit period is set to 1 second in the exemplary embodiment of the present invention, based on the observation that the duration of an illegitimate flow caused by infection by network worms is generally less than 1 second and the duration of a normal flow is generally greater than 1 second.
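As an added illustration of the Equation 2 mapping and of the per-period matrix filling described above (example code written for this page, not part of the patent), the following Python builds the 256×256 bit matrix of each unit period from a list of (timestamp, destination IP) flows. The two flow lists are constructed here: a Blaster-style sequential sweep of two /24 blocks under a fixed IP₁·IP₂, and a Slammer-style uniform scan of the same packet count. The function names and the 10.20.0.0 prefix are assumptions of this example. It shows the effect claimed above: the sequential sweep fills whole rows (one row per IP₃ value, with the columns permuted by the XOR), while the uniform scan scatters its entries over the matrix.

```python
import random
from collections import defaultdict

M = 256                     # traffic matrix is M x M, 1 bit per entry (8 KiB)
FULL_ROW = (1 << M) - 1     # a row in which all 256 entries are 1


def cell_for(dst_ip):
    """Equation 2: i = IP1 xor IP3, j = IP2 xor IP4 for a destination IP1.IP2.IP3.IP4."""
    ip1, ip2, ip3, ip4 = (int(o) for o in dst_ip.split("."))
    return ip1 ^ ip3, ip2 ^ ip4


def build_traffic_matrices(flows, unit_period=1.0):
    """Bucket flows into unit periods and set entry (i, j) for each destination.
    flows: iterable of (timestamp_seconds, dst_ip).
    Returns {period_index: rows}, where rows[i] is an int bitmask with bit j = column j.
    Writing a 1 over an existing 1 is a no-op, i.e. overwriting is allowed."""
    mats = defaultdict(lambda: [0] * M)
    for ts, dst in flows:
        i, j = cell_for(dst)
        mats[int(ts // unit_period)][i] |= 1 << j
    return dict(mats)


def full_rows(rows):
    """Number of rows whose 256 entries are all 1 (what a sequential sweep of one /24 leaves)."""
    return sum(1 for r in rows if r == FULL_ROW)


def ones_count(rows):
    return sum(bin(r).count("1") for r in rows)


# --- constructed traffic for this example, not captured data -----------------
def sequential_scan_flows(start_ts, prefix="10.20", count=512):
    """Blaster-style sweep: IP1.IP2 fixed, IP3.IP4 incrementing, all within one unit period."""
    return [(start_ts + k / count, f"{prefix}.{k // 256}.{k % 256}") for k in range(count)]


def uniform_scan_flows(start_ts, count=512, seed=1):
    """Slammer-style uniform scan: all four octets drawn at random (seeded for repeatability)."""
    rng = random.Random(seed)
    return [(start_ts + k / count, ".".join(str(rng.randrange(256)) for _ in range(4)))
            for k in range(count)]


def compare_scan_strategies():
    """Same packet count, two strategies: (full rows, total ones) for each resulting matrix."""
    seq = build_traffic_matrices(sequential_scan_flows(5.0))[5]
    uni = build_traffic_matrices(uniform_scan_flows(5.0))[5]
    return {"sequential": (full_rows(seq), ones_count(seq)),
            "uniform": (full_rows(uni), ones_count(uni))}


if __name__ == "__main__":
    # sequential: rows 10 ^ 0 and 10 ^ 1 are completely filled; uniform: no full row
    print(compare_scan_strategies())
```

The sequential sweep of 10.20.0.0–10.20.1.255 lands in rows 10⊕0 = 10 and 10⊕1 = 11, each of which receives all 256 column values because XOR with the fixed IP₂ is a permutation of IP₄; those two identical full rows are exactly what later collapses under Gaussian elimination. The uniform scan of the same 512 packets leaves no full row and close to 512 scattered entries (a few fewer where two packets hit the same cell).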

III. Traffic Filtering Matrix Operations

When the traffic matrix construction is finished for the unit period, the legitimate traffic eliminator 130 of the worm detecting device 100 attempts to improve the accuracy of attack detection by eliminating the legitimate flows from the traffic.

The legitimate traffic eliminator 130 filters legitimate traffic by performing the following operations on the traffic matrix.

In particular, the legitimate traffic eliminator 130 performs a bitwise XOR operation on two traffic matrices from consecutive time units to eliminate most of the legitimate flows that exist in both consecutive traffic matrices, so that the suspicious traffic remains in the result matrix. Also, the legitimate traffic eliminator 130 performs a bitwise AND operation on two consecutive matrices to handle long-lived legitimate traffic.

The present inventor holds a patent (registration number: 745613; title: Network Monitoring Device and Program Storing Recording Medium) for detecting unknown network worms on a huge network with less computation at an earlier stage.

According to that patent, detailed states of the network are checked by using rank values of the traffic matrix to which the characteristics of inflow and outflow traffic through the network are applied. That is, when the rank value of the traffic matrix is greater than a predetermined normal range, it is determined that the network is attacked by network worms, and hence the attacks of the worms are found and processed at an earlier stage.

The worm detecting method according to the existing invention could detect a network attack by a worm with substantial accuracy.

However, in the existing invention by the present applicant, when a legitimate flow begins exactly at the start time (i.e., time t−1) of a time frame with start time t−1 and end time t, or finishes exactly at its end time (i.e., time t), it cannot be eliminated from the matrix.

Therefore, in the worm detecting device 100 according to the embodiment of the present invention, the legitimate traffic eliminator 130 increases worm detecting accuracy by applying a new filtering mechanism that, while filtering out the legitimate flows, also removes those legitimate flows that cannot be removed by the existing invention.

FIG. 5 shows the mechanism of filtering and rank value measurement used in a worm detecting method according to an exemplary embodiment of the present invention.

M(t) is defined as the traffic matrix constructed from the traffic collected during the time domain from time t to time t+1.

Accordingly, M(t−1) represents the traffic matrix for traffic collected in the time domain between t−1 and t, and likewise M(t−2) represents the traffic matrix for traffic collected in the time domain between t−2 and t−1.

Further, M(t)⊕M(t−1) denotes the matrix obtained by performing an XOR operation on the corresponding entries of M(t) and M(t−1).

The XOR operation is used to remove the overlapping entries, which in general are not malicious. For example, when there are 4 legitimate flows and 1 packet per time unit is generated by a worm, the XOR operation on a simplified 4×4 matrix produces the filtering result expressed in Equation 3.

$\begin{pmatrix}0 & 0 & 1 & 0 \\ 1 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0\end{pmatrix} \oplus \begin{pmatrix}0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 1 & 1 & 0 \\ 1 & 0 & 0 & 0\end{pmatrix} = \begin{pmatrix}0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0\end{pmatrix}$  [Equation 3]

That is, as can be seen from Equation 3, since a legitimate flow has a duration greater than 1 second, it appears as a 1 at the same position in the two matrices of adjacent time domains. Therefore, an entry of 1 remaining after the XOR operation can be considered an illegitimate packet generated by an epidemic of network worms.

In the case of a normal network, the rank value of the matrix M(t)⊕M(t−1) becomes less than that of M(t), unless there is a surge of new legitimate flows to the network at time t.

Further, the rank value of the matrix M(t)⊕M(t−1) will be greater than that of M(t) when random scan traffic is increased by an epidemic of network worms through the network.

After the XOR operation has removed most of the legitimate flows in the corresponding time domain, some legitimate flows will still leave traces in the traffic matrix.

For example, these include flows that newly start or terminate exactly at one of the times that delimit the time domains.

In order to exclude such flows, in the exemplary embodiment of the present invention, the legitimate traffic eliminator 130 performs the matrix operation expressed in Equation 4 to eliminate the legitimate flows more efficiently.

$M'(t) = M_{XOR}(t) \oplus \left( M_{XOR}(t) \cdot M(t-2) \right)$  [Equation 4]

In Equation 4, M′(t) will be referred to as the legitimate traffic elimination matrix, and · denotes the entrywise (bitwise) AND operation.

Here, M_XOR(t) represents the XOR of the two consecutive matrices, as expressed in Equation 5.

$M_{XOR}(t) = M(t) \oplus M(t-1)$  [Equation 5]

When a legitimate flow finishes at time t−1 or t, the corresponding traffic may be included in (M_XOR(t)·M(t−2)) and is thereby removed from M′(t).

In FIG. 5, a circular point represents legitimate traffic, and a cross symbol indicates illegitimate traffic generated by the worm attacking the network.

As shown at the bottom of FIG. 5, the legitimate traffic elimination matrix, i.e., the traffic matrix after the filtering process according to the exemplary embodiment of the present invention, contains the illegitimate flow. The legitimate traffic elimination matrix is used to measure the rank value for the corresponding time frame.

FIG. 6 shows a Venn diagram representing the principle of filtering and the relationship among traffic matrices according to an exemplary embodiment of the present invention.

In FIG. 6, connections starting at time t may or may not be legitimate, which cannot be determined until time t+1; hence such flows cannot be eliminated at M′(t). It can also be seen that the flows at the exact times t−1 and t, which are very probably legitimate, are eliminated.

IV. Rank Value Measurement

The rank value calculator 140 measures randomness by calculating the rank value of the legitimate traffic elimination matrix acquired by the legitimate traffic eliminator 130.

The rank value of a random m×n binary matrix has the probability given by Equation 6.

$P = 2^{\,r(n+m-r) - nm} \prod_{i=0}^{r-1} \frac{\left(1 - 2^{i-n}\right)\left(1 - 2^{i-m}\right)}{1 - 2^{i-r}}, \quad r = 1, 2, \ldots, \min(m, n)$  [Equation 6]

Taking the log₂ of Equation 6 gives Equation 7.

$(m - r)^2 > \log_2 \frac{1}{P}$  [Equation 7]

That is, assuming that the probability P is 0.001% (i.e., a value near 0), the greatest rank value will be 252 in the 256×256 binary matrix.
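Equation 6 evaluated numerically, as an added Python example that is not part of the patent: it returns the probability of each rank of a uniformly random m×n binary matrix, the tail probability P(rank ≤ r), and its complement, which is what the reference value 252 for the 256×256 matrix is chosen against. Function names are assumptions of this example.

```python
def rank_probability(m, n, r):
    """Equation 6: probability that a uniformly random m x n binary matrix has rank exactly r.
    The exponent r(n+m-r) - nm equals -(m-r)(n-r) <= 0, so the power never overflows;
    for tiny values it underflows to 0.0, which is the intended result."""
    if r < 0 or r > min(m, n):
        return 0.0
    p = 2.0 ** (r * (n + m - r) - n * m)
    for i in range(r):
        p *= (1 - 2.0 ** (i - n)) * (1 - 2.0 ** (i - m)) / (1 - 2.0 ** (i - r))
    return p


def rank_distribution(m, n):
    """P(rank = r) for every attainable r, including r = 0 (the all-zero matrix)."""
    return {r: rank_probability(m, n, r) for r in range(min(m, n) + 1)}


def tail_probability(m, n, r):
    """P(rank <= r): how often a genuinely random matrix fails to exceed the reference rank r."""
    return sum(rank_probability(m, n, k) for k in range(r + 1))


def exceed_probability(m, n, r):
    """P(rank > r): confidence that a matrix whose rank exceeds r is indistinguishable from random."""
    return 1.0 - tail_probability(m, n, r)


if __name__ == "__main__":
    dist = rank_distribution(256, 256)
    for r in range(250, 257):
        print(f"P(rank = {r}) = {dist[r]:.3e}")
    print(f"P(rank <= 252) = {tail_probability(256, 256, 252):.3e}")
```

For the 256×256 matrix the mass sits at the top: P(rank = 256) ≈ 0.289 and P(rank = 255) ≈ 0.578, while P(rank ≤ 252) is of the order of 10⁻⁵, which is why a rank above 252 is treated as the signature of a random (i.e., worm-filled) elimination matrix and a rank well below it as non-random traffic.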

In other words, the reference value is the maximum rank value, for a specific probability P, at which the legitimate traffic elimination matrix will not be a random matrix.

For example, a random 256×256 binary matrix has a rank value greater than 252 with a probability of 99.999%.

Hence, when the rank value of the legitimate traffic elimination matrix calculated by the rank value calculator 140 exceeds a predetermined value, for example when the rank value is greater than 252 for the 256×256 matrix, the network state determiner 150 of the worm detecting device 100 determines the network state as one in which the corresponding network has started being attacked by a network worm.
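The filtering of Equations 4 and 5, the GF(2) rank calculation, and the threshold decision of section IV, as an added Python example (not the patent's own implementation). Rows are held as integer bitmasks, so the XOR and AND of Equation 4 are one integer operation per row, and the rank is obtained by Gaussian elimination using row XOR only, as the text describes for a binary matrix. The three-period scenario (long-lived flows, one flow ending at t, one starting at t, and a uniform-scan burst in M(t)), its cell coordinates and the 8000-packet burst size are constructed for this example; the 4×4 matrices of Equations 3 and 8 are reproduced so the helpers can be checked against the page.

```python
import random

M = 256                      # traffic matrix is M x M, one bit per entry


def rows_from_strings(strs):
    """Parse rows such as "0010" (leftmost character is column 0) into row bitmasks."""
    return [int(s[::-1], 2) for s in strs]


def rows_to_strings(rows, width):
    return [format(r, f"0{width}b")[::-1] for r in rows]


def matrix_from_cells(cells, size=M):
    """Build a size x size binary matrix with a 1 at every (row, col) in cells."""
    rows = [0] * size
    for i, j in cells:
        rows[i] |= 1 << j
    return rows


def xor_matrix(a, b):
    return [x ^ y for x, y in zip(a, b)]


def and_matrix(a, b):
    return [x & y for x, y in zip(a, b)]


def gf2_rank(rows):
    """Rank over GF(2) by Gaussian elimination: each row is reduced by the pivot row that
    shares its leading 1 until it is zero (dependent) or becomes a new pivot."""
    pivots = {}                      # leading-bit position -> pivot row
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead in pivots:
                r ^= pivots[lead]    # row XOR, the only operation needed for a binary matrix
            else:
                pivots[lead] = r
                break
    return len(pivots)


def legitimate_traffic_elimination(m_t, m_t1, m_t2):
    """Equation 5: M_XOR(t) = M(t) xor M(t-1).
    Equation 4: M'(t) = M_XOR(t) xor (M_XOR(t) and M(t-2))."""
    m_xor = xor_matrix(m_t, m_t1)
    return xor_matrix(m_xor, and_matrix(m_xor, m_t2))


def network_state(m_prime, threshold=252):
    """Section IV decision: a rank above the reference value means random scan traffic."""
    return "worm_suspected" if gf2_rank(m_prime) > threshold else "normal"


def has_cell(rows, cell):
    i, j = cell
    return bool(rows[i] >> j & 1)


# --- constructed scenario (assumed for this example), three consecutive unit periods ---
LONG_LIVED = [(3, 7), (40, 41), (200, 9)]   # legitimate flows alive in all three periods
ENDS_AT_T = (77, 120)                        # legitimate flow in M(t-2) and M(t-1), gone in M(t)
STARTS_AT_T = (150, 33)                      # legitimate flow that begins in M(t): undecidable yet


def scenario(worm_packets, seed=7):
    """Return (M'(t), rank) for a period t in which a uniform-scan worm sends worm_packets scans."""
    rng = random.Random(seed)
    m_t2 = matrix_from_cells(LONG_LIVED + [ENDS_AT_T])
    m_t1 = matrix_from_cells(LONG_LIVED + [ENDS_AT_T])
    worm = [(rng.randrange(M), rng.randrange(M)) for _ in range(worm_packets)]
    m_t = matrix_from_cells(LONG_LIVED + [STARTS_AT_T] + worm)
    m_prime = legitimate_traffic_elimination(m_t, m_t1, m_t2)
    return m_prime, gf2_rank(m_prime)


if __name__ == "__main__":
    for packets in (0, 8000):
        m_prime, rank = scenario(packets)
        print(f"worm packets={packets:5d}  rank(M'(t))={rank:3d}  state={network_state(m_prime)}")
```

In the quiet period only the flow that starts at t survives the filter (rank 1, state normal): the long-lived flows cancel in the XOR of Equation 5, and the flow that ended at t is present in M_XOR(t) but is cleared by the AND with M(t−2) in Equation 4, exactly the case the earlier patent could not handle. Once a uniform-scan burst lands in M(t), the surviving entries are spread at random over the matrix and the GF(2) rank jumps past 252.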

V. Network Worm Detecting Method

A case in which a random scan type of worm attacks the network will now be exemplified. It is also assumed that the epidemic volume of the worm is equal to that of the Slammer worm.

Here, N is the vulnerable population size for a specific worm, L is the monitoring network size (in number of IP addresses), and α is the infection ratio. Accordingly, αN represents the number of infected hosts in the vulnerable population. Also, the worm scan rate β is the number of scans per second per worm.

For the simulation, N=10⁶, β=3×10², 6×10², 10³, and L=2¹⁶. For reference, these values of β are appropriate considering that the scan rate of the Slammer worm is 26,000 scans/second at maximum and approximately 4000 scans/second per worm on average, and that the slow scan rate used by one variant of the Code Red II worm to escape detection is 300 scans/second. Also, β is given three values (3×10², 6×10² and 10³) in order to show that the present invention is also applicable to early detection of slowly scanning worms.

FIG. 7 shows a graph representing a simulation result with the number of infected hosts and rank values.

As shown in FIG. 7, as the number of infected hosts increases, the rank value of the legitimate traffic elimination matrix according to the exemplary embodiment of the present invention rises steeply within a short time. When the worm's scan rate is 1000 scans/second and only 3% of the vulnerable hosts on the entire network are infected, the rank value approaches the maximum value of 256, exceeding the value of 252. That is, a rank value over 252 is acquired when α=0.03 for N=10⁶, β=10³, and L=2¹⁶. Also, when the scan rates are 600 scans/second and 300 scans/second, the rank value approaches the maximum value of 256, exceeding 252, when 5% and 10% of the vulnerable hosts on the entire network are infected, respectively. That is, a rank value over 252 is acquired when α=0.05 and 0.1 for β=6×10² and 3×10² respectively, with N=10⁶ and L=2¹⁶.

In the simulation of FIG. 7, the time at which the rank value steeply increases precedes the time at which the number of hosts infected by the worm steeply increases by substantially 30 seconds.

In today's world of fully automated attacks, human-intervened countermeasures are becoming too slow to stop an epidemic. For example, the Slammer worm grew to a full epidemic within 10 minutes on the Internet. However, according to the worm detecting method of the exemplary embodiment of the present invention, the worm's attack can be predicted several tens of seconds in advance merely by sensing the steep change of the rank value.

With the several tens of seconds gained by the present invention, a necessary measure for preventing the worm epidemic or delaying its speed can be applied.

FIG. 8 shows a graph indicating rank values of two kinds of worms as a function of scan rate β in a 256×256 traffic matrix.

FIG. 9 shows a graph indicating rank values of two kinds of worms as a function of scan rate β in a 64×64 traffic matrix.

As shown in FIG. 8 and FIG. 9, the two kinds of worms are a random scan worm and a sequential scan worm, respectively.

The simulations of FIG. 8 and FIG. 9 are performed by actually injecting network worms (a random scan worm and a sequential scan worm) into a /16 university campus network and tracking them at the gateway of the network. The rank value in this instance is measured for the case in which 10,000 hosts are infected (α=0.01).

As can be seen from both FIG. 8 and FIG. 9, the rank value of the random scan worm increases dramatically as the scan rate increases.

On the other hand, the rank value of the sequential scan worm suddenly drops after β=1000.

The above-noted characteristics allow a non-uniform scan worm such as Blaster to be detected by monitoring a single block of the IP address space, whereas previous worm monitoring approaches are effective only when their monitored address space is widely distributed.

That is, as the worm activity intensifies, it drives the matrix rank value to be extremely high or extremely low, which is a clear indication. In contrast, when the network is normal and worm activity does not intensify, the rank value hovers at non-extreme values as time passes.

FIG. 10 shows that the rank value dramatically approaches 0 whenever one sequential scanning worm is present, even as the number of random scanning worms is increased. This covers two cases. The first case is that many worms with various mixed scans spread concurrently on the network. The second case is that of an evasion method in which sequential scanning traffic is intermittently mixed in so as to disguise the random scanning behavior; as long as sequential scanning is also used, the worm epidemic can be detected through the sequential scanning. This is a result of the Gaussian elimination used to calculate the rank value. To calculate the rank value by Gaussian elimination, the XOR operation is performed on the rows of the matrix, because the matrix whose rank value is calculated by the present technique is a binary matrix. Therefore, when a sequential scanning worm is propagating, identical rows with entries of 1 are repeatedly and sequentially supplied to the matrix, and all but one of them become 0 under Gaussian elimination.

The above-noted result yields the result shown in Equation 8. Equation 8 uses a 4×4 matrix to illustrate that rows with all entries of 1 are changed into 0 by Gaussian elimination. When the first to third rows are all filled with 1's by the sequential scanning worm, one row is kept as in the right-hand matrix and the other rows are changed into rows of 0's by the XOR operations of the Gaussian elimination that solves for the rank value. The rank value is thus dramatically reduced to near 0 when the sequential scanning worm spreads, by the effect of the Gaussian elimination.

$\begin{pmatrix}1 & 1 & 1 & 1 \\ 1 & 1 & 1 & 1 \\ 1 & 1 & 1 & 1 \\ 0 & 0 & 1 & 0\end{pmatrix} \Rightarrow \begin{pmatrix}1 & 1 & 1 & 1 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0\end{pmatrix}$  [Equation 8]

VI. Determination of Number of Scanning Packets

When the rank value is increased to exceed a threshold value such as252, the number of scanning packets to be collected to the trafficmatrix so as to be on the alert for imminent onset of a worm epidemiccan be produced from subsequent calculation.

γ is defined to be a random factor, and a random binary matrix with anextremely high rank value is filled with γm²-numbered 1's.

In this instance, in order for a random scanning worm to randomly changethe entries written as 0 in the traffic matrix to a sufficient number of1's γm² scanning packets are needed.

However, the required number of random scanning packets is less thanγm².

This is because, as described above, the non-zero entries in M′(t) areapproximately doubled after eliminating the legitimate traffic from thetraffic matrix (e.g., M(t)⊕M(t−1) operation).

Therefore, the random m×m matrix can be built with half the γm².

Hence, the number of scanning packets to be collected for warning onsetof worm epidemic can be expressed as Equation 9.αN·β·L/2³² ≧γ·m ²/2  [Equation 9]

The parameters N, β, α, and L are determined independently from thestate of whether the result matrix M′(t) is random or not. That is, theparameters N and L are determined by host and network configurations, βis determined by a worm attribute, and m is determined by an anomalydetecting module configuration. Also, the parameter γ is a property ofmatrix randomness and is determined by m.

Table 1 shows the relationship between the random factor and the traffic matrix size.

TABLE 1

m    32     64     128    256    512    1024
γ    0.063  0.041  0.025  0.014  0.008  0.005

The average random factor γ can be measured experimentally through repeated construction of random matrices; the measured values are shown in Table 1.

When only a small fraction of the traffic matrix region is activated by random scan packets, the randomness can still be detected through the rank value of the legitimate traffic elimination matrix according to the worm detecting method of the embodiment of the present invention.

Further, Table 1 can be considered from the viewpoint of the sensitivity of the rank metric when it is used for randomness detection.

The interplay among the parameters can be understood from Equation 9.

That is, the worm epidemic can be detected at an earlier stage, namely while the infection ratio α is still low, when the worm scan rate β is higher.

For example, in the simulation shown in FIG. 11, the worm scan rate β is 1000 when the infection ratio α is 0.03, and under the same conditions the infection ratio α is reduced to 0.01 when the worm scan rate β is increased to 3000. That is, the worm can be detected at a lower infection ratio (i.e., while the worm has spread less in the network).

The inverse proportionality between α and β shown in Equation 9 means that the worm detecting method according to the exemplary embodiment of the present invention detects a worm with a faster epidemic speed, i.e., a higher scan rate, faster.

FIG. 11 is a graph showing the relationship among the infection ratio, the worm scan rate, and the host population size used for detecting a worm epidemic through the change of the rank value of the legitimate traffic elimination matrix.

For example, when the vulnerable host population size N is 10⁵ to 10⁶ and the worm scan rate β is 5000 to 10,000, the infection ratio α of the hosts in the network at the time the worm is detected is 0.3% to 1.2%, as can be checked in the graph of FIG. 11.

That is, when the worm detecting method according to the embodiment of the present invention is used over the parameter range of a global worm epidemic, a network worm attacking the network can be detected early enough that sufficient time for handling the worm epidemic is obtained.
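The following Python block is an added example, not code from the patent. It evaluates both sides of Equation 9 with the random factor γ taken from Table 1, solves the inequality for the smallest infection ratio α at which the epidemic warning can be raised, and checks the inverse proportionality between α and β discussed above. The value of L is passed through exactly as it appears in Equation 9 (its definition is not restated in this part of the description); the host population, matrix size and L used in the demonstration are constructed values, not the FIG. 11 simulation settings.

```python
"""Added example (not from the patent): the scan-packet budget of Equation 9.

Equation 9:  alpha * N * beta * L / 2**32  >=  gamma * m**2 / 2
  alpha  infection ratio (fraction of the N vulnerable hosts infected)
  N      vulnerable host population size
  beta   worm scan rate
  L      the L term of Equation 9, passed through unchanged
  m      traffic matrix dimension (m x m)
  gamma  random factor from Table 1
"""
from typing import Dict, Optional

# Table 1 of the patent: average random factor gamma against matrix size m.
GAMMA_TABLE: Dict[int, float] = {
    32: 0.063, 64: 0.041, 128: 0.025, 256: 0.014, 512: 0.008, 1024: 0.005,
}


def scan_packets_needed(m: int, gamma: Optional[float] = None) -> float:
    """Right-hand side of Equation 9: gamma * m^2 / 2 scanning packets.

    Half of gamma*m^2 suffices because legitimate-traffic elimination roughly
    doubles the non-zero entries, as the description explains.
    """
    if gamma is None:
        gamma = GAMMA_TABLE[m]
    return gamma * m * m / 2


def scan_packets_seen(alpha: float, N: int, beta: float, L: float) -> float:
    """Left-hand side of Equation 9: scans that land in the traffic matrix."""
    return alpha * N * beta * L / 2 ** 32


def satisfies_equation9(alpha: float, N: int, beta: float, L: float,
                        m: int, gamma: Optional[float] = None) -> bool:
    """True once enough scanning packets have been collected to warn."""
    return scan_packets_seen(alpha, N, beta, L) >= scan_packets_needed(m, gamma)


def detection_infection_ratio(N: int, beta: float, L: float, m: int,
                              gamma: Optional[float] = None) -> float:
    """Smallest infection ratio alpha at which Equation 9 holds, i.e. the
    point at which the rank metric can raise the epidemic warning."""
    return scan_packets_needed(m, gamma) * 2 ** 32 / (N * beta * L)


def alpha_ratio_for_scan_rates(N: int, beta_low: float, beta_high: float,
                               L: float, m: int) -> float:
    """alpha(beta_low) / alpha(beta_high): alpha is inversely proportional
    to beta, so tripling the scan rate cuts the detectable alpha to a third."""
    return (detection_infection_ratio(N, beta_low, L, m)
            / detection_infection_ratio(N, beta_high, L, m))


if __name__ == "__main__":
    # Constructed scenario (assumed values): 10**6 vulnerable hosts, a
    # 256 x 256 traffic matrix and L = 2**16.
    N, L, m = 10 ** 6, 2 ** 16, 256
    for beta in (1000, 3000, 10000):
        alpha = detection_infection_ratio(N, beta, L, m)
        print(f"beta={beta:>5}: warning possible at alpha={alpha:.4f}")
    print("alpha ratio for beta 1000 -> 3000:",
          alpha_ratio_for_scan_rates(N, 1000, 3000, L, m))
```

Because α appears only as a factor on the left-hand side, the smallest detectable α scales as 1/β (and as 1/N and 1/L), which is the relationship the description draws from Equation 9; changing m changes both the m² term and the γ read from Table 1, so the sensitivity to the matrix size is not a simple power law.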

As described above, the matrix is a convenient data structure with well-defined operations for the various computations used in detecting worms attacking through the network at an early stage. According to the present invention, whether a worm has attacked the network can be easily determined from the size of the rank value by constructing a traffic matrix from the network traffic, as a matrix-based attack detecting mechanism, and measuring the rank value after filtering out the legitimate traffic.

Further, the matrix approach according to the embodiment of the present invention is applicable not only to detecting network worms but also to other types of attacks that increase the randomness of the network traffic.

The above-described embodiments can be realized not only through the above-described device and/or method but also through a program for realizing functions corresponding to the configuration of the embodiments, or a recording medium recording the program, which is easily realized by a person skilled in the art.

While this invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

The invention claimed is:
1. A worm detecting method comprising the steps of: collecting, by a worm detecting device, traffic provided to a network to thus collect passing traffic; generating, by the worm detecting device, a first traffic matrix for showing a characteristic of the traffic in a first time domain beginning at a first time, a second traffic matrix for showing a characteristic of the traffic in a second time domain beginning at a second time that is an end time of the first time domain, and a third traffic matrix for showing a characteristic of the traffic in a third time domain beginning at a third time that is an end time of the second time domain to thus generate a traffic matrix; eliminating, by the worm detecting device, a matrix entry corresponding to a legitimate flow in the first time domain, the second time domain and the third time domain, and eliminating a matrix entry corresponding to the flow having ended or started at the exact time of the second time and the flow having ended at the third time from the legitimate flow, and generating a legitimate traffic elimination matrix to thus eliminate legitimate traffic; calculating, by the worm detecting device, a rank value of the legitimate traffic elimination matrix to thus calculate a rank value; and determining, by the worm detecting device, the network state based on the rank value to thus determine a state of the network.

2. The worm detecting method of claim 1, wherein the elimination of legitimate traffic further includes: performing an XOR operation on the second traffic matrix and the third traffic matrix to acquire a first matrix; and performing an AND operation on the first matrix and the first traffic matrix to acquire a second matrix, wherein the legitimate traffic elimination matrix is generated by performing an XOR operation on the first matrix and the second matrix.

3. The worm detecting method of claim 1, wherein in the generation of a traffic matrix, when a specific flow is collected in the collection of traffic, a matrix entry corresponding to an IP address of the flow of the first traffic matrix, the second traffic matrix, and the third traffic matrix is changed from 0 to 1.

4. The worm detecting method of claim 1, wherein, in the calculation of a rank value, the rank value is a number of rows other than 0 generated by applying Gaussian elimination to the legitimate traffic elimination matrix.

5. The worm detecting method of claim 4, wherein, in the calculation of a rank value, when the rank value is r, the probability in which the legitimate traffic elimination matrix is not a random matrix is P, and the sizes of a row and a column of the legitimate traffic elimination matrix are m and n respectively, the rank value is expressed as

$P = 2^{r(n + m - r) - nm}\prod\limits_{i = 0}^{r - 1}\frac{\left(1 - 2^{i - n}\right)\left(1 - 2^{i - m}\right)}{\left(1 - 2^{i - r}\right)}.$

6. The worm detecting method of claim 1, wherein, in the determination of a network state, when the rank value is greater than a predetermined reference value, the network is determined to be infected by a worm.

7. The worm detecting method of claim 1, wherein, in the determination of a network state, when the rank value is dramatically reduced to approach 0, the network is determined to be infected by a worm.

8. The worm detecting method of claim 6, wherein the reference value is the maximum rank value for a specific probability in which the legitimate traffic elimination matrix is not a random matrix.

9. A worm detecting device comprising: a traffic collector for collecting traffic provided to a network; a traffic matrix generator for generating a first traffic matrix for showing a characteristic of the traffic in a first time domain beginning at a first time, a second traffic matrix for showing a characteristic of the traffic in a second time domain beginning at a second time that is an end time of the first time domain, and a third traffic matrix for showing a characteristic of the traffic in a third time domain beginning at a third time that is an end time of the second time domain; a legitimate traffic eliminator for eliminating a matrix entry corresponding to a legitimate flow in the first time domain, the second time domain and the third time domain, and eliminating a matrix entry corresponding to the flow having ended or started at the exact time of the second time and the flow having ended at the third time from the legitimate flow to generate a legitimate traffic elimination matrix; a rank value calculator for calculating a rank value of the legitimate traffic elimination matrix; and a network state determiner for determining the network state based on the rank value.

10. The worm detecting device of claim 9, wherein the legitimate traffic eliminator performs an XOR operation on the second traffic matrix and the third traffic matrix to acquire a first matrix and performs an AND operation on the first matrix and the first traffic matrix to acquire a second matrix, and performs an XOR operation on the first matrix and the second matrix to generate the legitimate traffic elimination matrix.

11. The worm detecting device of claim 9, wherein the traffic matrix generator changes a matrix entry corresponding to an IP address of the flow of the first traffic matrix, the second traffic matrix, and the third traffic matrix from 0 to 1 when a specific flow is collected in the collection of traffic.

12. The worm detecting device of claim 9, wherein the rank value calculator calculates a number of rows other than 0 generated by applying Gaussian elimination to the legitimate traffic elimination matrix as the rank value.

13. The worm detecting device of claim 12, wherein when the rank value is r, the probability in which the legitimate traffic elimination matrix is not a random matrix is P, and the sizes of a row and a column of the legitimate traffic elimination matrix are m and n respectively, the rank value calculator generates the rank value according to the subsequent equation:

$P = 2^{r(n + m - r) - nm}\prod\limits_{i = 0}^{r - 1}\frac{\left(1 - 2^{i - n}\right)\left(1 - 2^{i - m}\right)}{\left(1 - 2^{i - r}\right)}.$

14. The worm detecting device of claim 9, wherein the network state determiner determines that the network is infected by a worm when the rank value is greater than a predetermined reference value.

15. The worm detecting device of claim 9, wherein the network state determiner determines that the network is infected by a worm when the rank value is dramatically reduced to approach 0.

16. The worm detecting device of claim 14, wherein the reference value is the maximum rank value for a specific probability in which the legitimate traffic elimination matrix is not a random matrix.
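The following Python block is an added example, not code from the patent. It evaluates the equation of claims 5 and 13, which gives the probability P that a random n×m matrix over GF(2) has rank r, and uses the resulting rank distribution to derive a reference value in the sense of claim 8: the largest rank that a random matrix stays at or below with no more than a chosen probability p. The choice of p is an assumption of this example; with p = 10⁻⁴ and a 256×256 matrix the computation returns 252, the example threshold mentioned at the start of section VI.

```python
"""Added example (not from the patent): rank distribution of a random binary
matrix, as used for the reference value of claims 5, 8 and 13.

rank_probability() is the equation of claims 5 and 13.  The reference value
of claim 8 is then the largest rank that a random matrix stays at or below
with a chosen (small) probability p.
"""
import math
from typing import List


def rank_probability(r: int, n: int, m: int) -> float:
    """P = 2^(r(n+m-r) - nm) * prod_{i=0}^{r-1} (1-2^(i-n))(1-2^(i-m)) / (1-2^(i-r))."""
    if r < 0 or r > min(n, m):
        return 0.0
    prod = 1.0
    for i in range(r):
        prod *= (1 - 2.0 ** (i - n)) * (1 - 2.0 ** (i - m)) / (1 - 2.0 ** (i - r))
    # ldexp scales by an exact power of two.  The exponent is never positive,
    # because nm - r(n+m-r) = (n-r)(m-r) >= 0, so at worst it underflows to 0.0.
    return math.ldexp(prod, r * (n + m - r) - n * m)


def rank_distribution(n: int, m: int) -> List[float]:
    """P(r) for r = 0..min(n, m); the values sum to 1."""
    return [rank_probability(r, n, m) for r in range(min(n, m) + 1)]


def rank_reference(n: int, m: int, p: float) -> int:
    """Reference value in the sense of claim 8: the largest rank T such that a
    random n x m matrix has rank <= T with probability at most p.

    A random (worm-scanned) matrix therefore exceeds T with probability at
    least 1 - p, while a structured legitimate matrix rarely reaches it.
    Returns -1 if even rank 0 is more likely than p.
    """
    cumulative = 0.0
    for r, prob in enumerate(rank_distribution(n, m)):
        cumulative += prob
        if cumulative > p:
            return r - 1
    return min(n, m)


if __name__ == "__main__":
    dist = rank_distribution(256, 256)
    for r in range(250, 257):
        print(f"P(rank = {r}) = {dist[r]:.3e}")
    # Assumed tolerance p = 1e-4; for a 256 x 256 matrix this gives 252.
    print("reference value (p=1e-4):", rank_reference(256, 256, 1e-4))
```

For a square matrix the mass of the distribution sits on the top few ranks (a random 256×256 matrix has rank 256 with probability about 0.29 and rank 255 with probability about 0.58), so the reference value only moves by one or two when p is changed by orders of magnitude; that is why the rank metric gives a stable threshold for the randomness check of claims 6 and 8.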